Snort mailing list archives

Re: Load alerts read from file to database


From: Paul Li <paul () scybersecurity com>
Date: Mon, 6 Feb 2017 18:28:37 -0500

Thanks Al for the hints. Much appreciated.  After Snort has read a file, all
the alerts are in a snort.log.xxxxx file. I tried to set up barnyard2 to read
snort.log as the base from the command line as follows:

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log
-w /var/log/snort/barnyard2.waldo -g snort-user -u snort-pass

But it looks like barnyard2 is still reading the snort.u2 base file. Here's a
copy-and-paste of the messages from the console:

------console output-----

Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1486185613
    record_idx      = 0
Opened spool file '/var/log/snort/snort.u2.1486185613'
....

------console output end-----

I tried to edit barnyard2.waldo, but it looks like it's a binary file. Is there
a way to make barnyard2 read snort.log.xxxxx instead of snort.u2.xxxxx?


Thanks,

Paul



On Sat, Feb 4, 2017 at 6:10 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Are the alert files in unified2 format?

You may want to look here for some more info on barnyard.

https://github.com/firnsy/barnyard2


https://github.com/firnsy/barnyard2/tree/master/doc



Albert Lewis

ENGINEER.SOFTWARE ENGINEERING

Sourcefire, Inc. now part of Cisco

Email: allewi () cisco com

From: Paul Li <paul () scybersecurity com>
Date: Saturday, February 4, 2017 at 1:05 AM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] Load alerts read from file to database

I'm using Snort to read a file and Snort generates alerts. But when I tried
using Barnyard2 to load these alerts into the database, no alerts were loaded.
Is there any configuration I should change to make it work, or does Barnyard2
not support loading alerts from files?

(When Snort generates alerts from monitoring a network interface,
Barnyard successfully loaded alerts into the database.)

Thanks,
Paul
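Two things in this thread are worth checking mechanically before changing any barnyard2 flags: Al's question of whether the spool file is actually unified2 (Snort's default snort.log.* output from `-l` is tcpdump/pcap packet logging unless `output unified2:` is configured in snort.conf), and the console output above, which shows barnyard2 taking its spool directory and filebase from the waldo file rather than from `-d`/`-f`. The script below is an added example written for this page; it is not code from the Snort or barnyard2 projects. It classifies a spool file as pcap, unified2 or unknown, decodes the legacy IDS event record so you can see gid:sid:rev and the 5-tuple, and decodes the waldo bookmark. Assumed, and labelled in the code: the libpcap magic numbers, the unified2 record header (two big-endian uint32s: type, length) and record type numbers from Snort's Unified2_common.h, and the waldo layout from barnyard2's spooler.h (spool_dir[1024], spool_filebase[1024], native-endian uint32 timestamp and record_idx). The sample inputs are constructed inline, not real captures.

```python
"""Probe a Snort spool artefact before pointing barnyard2 at it.

Added example for this thread; not code from the Snort or barnyard2 projects.
Assumptions (also flagged in comments):
  - pcap magic numbers as in libpcap (both byte orders, usec and nsec variants)
  - unified2 record header = two big-endian uint32s (type, length); record
    types as in Snort's Unified2_common.h
  - waldo layout as in barnyard2's spooler.h: spool_dir[1024],
    spool_filebase[1024], then native-endian uint32 timestamp, record_idx
    (check against your barnyard2 source before trusting parse_waldo)
"""
import ipaddress
import struct
import sys

PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}

# Record types assumed from Snort's Unified2_common.h.
U2_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
            99: "IDS_EVENT_MPLS", 100: "IDS_EVENT_IPV6_MPLS",
            104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}
U2_EVENT_TYPES = {7, 72, 99, 100, 104, 105}

# Unified2IDSEvent_legacy (type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
LEGACY_EVENT_FMT = ">11I2H4B"
WALDO_FMT = "=1024s1024sII"  # assumed barnyard2 WaldoData layout, 2056 bytes


def is_pcap(data: bytes) -> bool:
    """True if the file starts with a libpcap global-header magic."""
    if len(data) < 4:
        return False
    (magic,) = struct.unpack("<I", data[:4])
    return magic in PCAP_MAGICS  # set holds both byte orders, so "<" suffices


def walk_unified2(data: bytes) -> list:
    """Return [(type, length, payload), ...]; stop at an unknown or truncated record."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        if rtype not in U2_TYPES or off + 8 + rlen > len(data):
            break
        records.append((rtype, rlen, data[off + 8:off + 8 + rlen]))
        off += 8 + rlen
    return records


def classify(data: bytes) -> str:
    """'pcap' (Snort's default snort.log.* packet log), 'unified2', or 'unknown'."""
    if is_pcap(data):
        return "pcap"
    recs = walk_unified2(data)
    if recs and sum(8 + rlen for _, rlen, _ in recs) == len(data):
        return "unified2"  # every byte accounted for by well-formed records
    return "unknown"


def count_events(data: bytes) -> int:
    """Number of IDS event records (what barnyard2 would insert as alerts)."""
    return sum(1 for rtype, _, _ in walk_unified2(data) if rtype in U2_EVENT_TYPES)


def parse_legacy_event(payload: bytes) -> dict:
    """Decode a type-7 event: enough to see gid:sid:rev and the 5-tuple."""
    if len(payload) < struct.calcsize(LEGACY_EVENT_FMT):
        raise ValueError("truncated IDS_EVENT record")
    f = struct.unpack(LEGACY_EVENT_FMT, payload[:52])
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
            "src": str(ipaddress.ip_address(f[9])), "dst": str(ipaddress.ip_address(f[10])),
            "sport": f[11], "dport": f[12], "proto": f[13]}


def parse_waldo(data: bytes) -> dict:
    """Decode barnyard2's waldo bookmark (assumed layout, see module docstring)."""
    spool_dir, filebase, ts, idx = struct.unpack(WALDO_FMT, data[:struct.calcsize(WALDO_FMT)])

    def strz(b: bytes) -> str:  # NUL-terminated C string to str
        return b.split(b"\0", 1)[0].decode()

    return {"spool_dir": strz(spool_dir), "spool_filebase": strz(filebase),
            "timestamp": ts, "record_idx": idx}


# --- constructed sample inputs (not real captures) ---------------------------
def _u2_record(rtype: int, payload: bytes) -> bytes:
    return struct.pack(">II", rtype, len(payload)) + payload


_event = struct.pack(LEGACY_EVENT_FMT, 1, 1, 1486185613, 0, 1000001, 1, 1, 0, 2,
                     int(ipaddress.ip_address("10.0.0.1")),
                     int(ipaddress.ip_address("10.0.0.2")), 12345, 80, 6, 0, 0, 0)
SAMPLE_U2 = _u2_record(7, _event) + _u2_record(2, b"\0" * 32)  # packet body opaque here
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # empty pcap
SAMPLE_WALDO = struct.pack(WALDO_FMT, b"/var/log/snort", b"snort.u2", 1486185613, 0)

if __name__ == "__main__":
    # usage: probe_spool.py <spool-or-waldo file>; with no argument, runs on samples
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        if sys.argv[1].endswith(".waldo"):
            print(parse_waldo(blob))
        else:
            print(classify(blob), count_events(blob), "events")
    else:
        print(classify(SAMPLE_PCAP), classify(SAMPLE_U2), count_events(SAMPLE_U2))
        print(parse_waldo(SAMPLE_WALDO))
```

If `classify` reports `pcap` for snort.log.xxxxx, that file is the packet log, not alerts; add `output unified2: filename snort.u2, limit 128` to snort.conf and rerun `snort -r <file> -l /var/log/snort` so a snort.u2.xxxxx spool is produced. If it reports `unified2` under a different filebase, give barnyard2 a fresh waldo path with `-w` for that filebase (the existing waldo already records snort.u2, and the console output above shows those stored values being used), or point `-f` at the filebase the waldo already names.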
